UAE Banks End SMS OTPs in 2026: A New Era of Secure Digital Payments
UAE to End SMS OTPs for Online Payments in 2026

The familiar ping of an SMS, delivering a six-digit code to authorise an online purchase, is set to fade into history for residents of the United Arab Emirates. This cornerstone of digital security is being retired in favour of a far more robust system. In a decisive move to combat rising cybercrime, several major UAE banks will officially cease sending One-Time Passwords via text message for online card transactions starting January 6, 2026.

Why UAE is Phasing Out SMS-Based Authentication

This sweeping change is not a simple policy tweak but a mandated security revolution driven by the Central Bank of the UAE (CBUAE). For years, SMS OTPs were the default for two-factor authentication. However, their vulnerability on open telecom networks has become a critical weakness exploited by sophisticated fraudsters. The central bank's directive, formalised in Notice 2025/3057, bans SMS and email OTPs as a standalone security method.

The shift addresses three primary fraud techniques that led to billions in global losses:

  • SIM-Swap Scams: Criminals hijack a victim's mobile number to receive OTPs directly.
  • Phishing Attacks: Fake websites trick users into surrendering their codes.
  • Message Interception: Exploitation of legacy telecom protocols to capture SMS in transit.

With a notable jump in such scams within the UAE, the regulator is pushing for a mobile-first, closed-loop authentication system that leaves no room for network-based interception.

Embracing the Future: How In-App Approval Works

The new standard is In-App Authentication. This process integrates seamlessly with your bank's official mobile application, making transactions both more secure and convenient. Here is the new payment journey:

  1. You initiate a payment on any e-commerce site or app.
  2. Instantly, a push notification from your bank's app appears on your phone.
  3. Tapping it opens the app, displaying the merchant's name and transaction amount for clear verification.
  4. You approve the payment using biometric data (Face ID or fingerprint) or your secure Smart Pass PIN.

This method ensures the person authorising the payment is in physical possession of the registered, trusted device. It also eliminates issues faced by travellers who frequently cannot receive SMS while roaming abroad.

Action Required: How UAE Residents Must Prepare

Every resident who uses online banking or shops digitally must take proactive steps before the deadline. Failure to do so will result in declined transactions, as SMS codes will no longer be a valid verification method.

The preparation checklist is straightforward:

  • Update your bank's mobile application to the latest version available.
  • Enable push notifications and biometric login (fingerprint/facial recognition) within the app's settings.
  • Log in and complete any pending authentication setup well before January 6, 2026.

Banks are urging customers to migrate early to avoid last-minute disruptions. This change is part of a larger CBUAE plan to fortify the nation's digital banking infrastructure, with a final deadline for all banks set for March 2026. By adopting encrypted, in-app channels with biometric verification, the UAE aims to set a global benchmark for secure, user-friendly digital payments, significantly reducing fraud and aligning with international best practices.